Merge ~athos-ribeiro/ubuntu/+source/phpmyadmin:wdes-sru-set-jammy into ubuntu/+source/phpmyadmin:ubuntu/jammy-devel

Proposed by Athos Ribeiro
Status: Merged
Merged at revision: 19c773fc2ec4af4e89953e4d5e3a444cdfac1515
Proposed branch: ~athos-ribeiro/ubuntu/+source/phpmyadmin:wdes-sru-set-jammy
Merge into: ubuntu/+source/phpmyadmin:ubuntu/jammy-devel
Diff against target: 155 lines (+98/-1)
7 files modified
debian/NEWS (+11/-0)
debian/changelog (+14/-0)
debian/conf/apache.conf (+6/-0)
debian/control (+2/-1)
debian/patches/CVE-2023-25727.patch (+24/-0)
debian/patches/Require-PHP-8.0.patch (+39/-0)
debian/patches/series (+2/-0)
Reviewer Review Type Date Requested Status
William Desportes (community) Approve
Canonical Server packageset reviewers Pending
Canonical Server Reporter Pending
Review via email: mp+448616@code.launchpad.net

This proposal supersedes a proposal from 2023-05-13.

Description of the change

Hi William,

This is the jammy SRU MP for LP: #2016015, #2016016, #2016018.

I removed the fix for LP: #2016017 from this MP. Please, refer to that bug for further context.

I pushed the package to a PPA at: https://launchpad.net/~athos-ribeiro/+archive/ubuntu/phpmyadmin-srus/+packages

Revision history for this message
William Desportes (williamdes) wrote : Posted in a previous version of this proposal

The diff is 99% the same as the one I had built, so it's okay.

That said, while comparing I had some files that were different (not related to the patch):
git diff williamdes_launchpad/ubuntu/jammy-stable..athos-ribeiro/wdes-sru-set-jammy

So I am wondering if your base branch or my base branch were wrong.
Anyway, the debdiff is okay and can be merged on top of the actual version: 4:5.1.1+dfsg1-5ubuntu1

review: Approve (debdiff)
Athos Ribeiro (athos-ribeiro) wrote : Posted in a previous version of this proposal

Thanks, William.

It seems your branch is based on pkg/applied/ubuntu/jammy-devel while mine is based on pkg/ubuntu/jammy-devel. The former is a branch with the patches from debian/patches already applied. When proposing MPs for jammy, you want to use the latter as a base.

Athos Ribeiro (athos-ribeiro) wrote : Posted in a previous version of this proposal

Adding the server team as a reviewer for visibility.

Athos Ribeiro (athos-ribeiro) wrote : Posted in a previous version of this proposal

Uploaded

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading phpmyadmin_5.1.1+dfsg1-5ubuntu1.1.dsc: done.
  Uploading phpmyadmin_5.1.1+dfsg1-5ubuntu1.1.debian.tar.xz: done.
  Uploading phpmyadmin_5.1.1+dfsg1-5ubuntu1.1_source.buildinfo: done.
  Uploading phpmyadmin_5.1.1+dfsg1-5ubuntu1.1_source.changes: done.
Successfully uploaded packages.

Athos Ribeiro (athos-ribeiro) wrote :

I am re-submitting this after removing the fix for LP: #2016017 from this MP. Please, refer to that bug for further context.

William Desportes (williamdes) :
review: Approve
Athos Ribeiro (athos-ribeiro) wrote :

Uploaded.

Preview Diff

1diff --git a/debian/NEWS b/debian/NEWS
2index 3f51719..2e1490a 100644
3--- a/debian/NEWS
4+++ b/debian/NEWS
5@@ -1,3 +1,14 @@
6+phpmyadmin (4:5.1.1+dfsg1-5ubuntu1.1) jammy; urgency=medium
7+
8+ Due to the delta carried in the Ubuntu PSR stack, phpmyadmin does not run
9+ with PHP versions < 8. We now make it fail gracefully by explicitly
10+ requiring PHP >= 8 instead of allowing phpmyadmin to abruptly crash. In that
11+ case (the user tries to run phpmyadmin with PHP < 8), we now provide useful
12+ error messages so users understand what their next steps should be towards
13+ getting a functional phpmyadmin deployment.
14+
15+ -- Athos Ribeiro <athos.ribeiro@canonical.com> Fri, 12 May 2023 18:05:28 -0300
16+
17 phpmyadmin (4:4.9.1+dfsg1-1) unstable; urgency=low
18
19 phpMyAdmin webbased setup is not included anymore.
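Review bot: "Ubuntu PSR stack" in the new NEWS entry is not a term a jammy administrator reading /usr/share/doc/phpmyadmin/NEWS will recognise; spell out what delta is meant and reference the bug that tracks it (the changelog hunk cites LP: #2016016 for this change) so the entry points readers at the rationale. The entry otherwise reads well and correctly describes the new behaviour as an explicit version check rather than a crash.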
20diff --git a/debian/changelog b/debian/changelog
21index 392befb..d759a5f 100644
22--- a/debian/changelog
23+++ b/debian/changelog
24@@ -1,3 +1,17 @@
25+phpmyadmin (4:5.1.1+dfsg1-5ubuntu1.1) jammy; urgency=medium
26+
27+ [ William Desportes ]
28+ * Require PHP >= 8.0 (LP: #2016016)
29+ * Add PHP 8 support on apache2 conf (LP: #2016015)
30+ * Fix XSS vulnerability in drag-and-drop upload (LP: #2016018)
31+ - CVE-2023-25727
32+ - PMASA-2023-1
33+
34+ [ Athos Ribeiro ]
35+ * d/NEWS: document new behavior when running PHP < 8
36+
37+ -- William Desportes <williamdes@wdes.fr> Fri, 14 Apr 2023 18:11:15 +0200
38+
39 phpmyadmin (4:5.1.1+dfsg1-5ubuntu1) jammy; urgency=medium
40
41 * Add patch to drop testImportOsm and
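Review bot: the trailer "-- William Desportes <williamdes@wdes.fr> Fri, 14 Apr 2023 18:11:15 +0200" predates both the d/NEWS entry in this same diff (12 May 2023) and the sponsored upload, so the changelog timestamp will not reflect when this SRU revision was actually finalised; refresh it with `dch -r` before uploading. The bug references and the CVE/PMASA identifiers on the XSS line are present, which is what the SRU template needs.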
42diff --git a/debian/conf/apache.conf b/debian/conf/apache.conf
43index 9d40aa2..cd8a401 100644
44--- a/debian/conf/apache.conf
45+++ b/debian/conf/apache.conf
46@@ -12,6 +12,12 @@ Alias /phpmyadmin /usr/share/phpmyadmin
47 php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
48 </IfModule>
49
50+ # PHP 8+
51+ <IfModule mod_php.c>
52+ php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
53+ php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
54+ </IfModule>
55+
56 </Directory>
57
58 # Disallow web access to directories that don't need it
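Review bot: the new `<IfModule mod_php.c>` block copies the `upload_tmp_dir` and `open_basedir` directives verbatim from the block above it (the context line shows the identical open_basedir list), so the filesystem scope granted to phpMyAdmin now lives in two places. A later edit to one block but not the other would silently give the mod_php variant a different open_basedir than the older module block. If a static conf cannot avoid the duplication, add a comment stating that both lists must stay identical, or move the shared values to a single place included by both blocks.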
59diff --git a/debian/control b/debian/control
60index 2c74be6..6c016e4 100644
61--- a/debian/control
62+++ b/debian/control
63@@ -1,5 +1,6 @@
64 Source: phpmyadmin
65-Maintainer: phpMyAdmin Packaging Team <team+phpmyadmin@tracker.debian.org>
66+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
67+XSBC-Original-Maintainer: phpMyAdmin Packaging Team <team+phpmyadmin@tracker.debian.org>
68 Uploaders: Felipe Sateler <fsateler@debian.org>,
69 Matthias Blümel <debian@blaimi.de>,
70 William Desportes <williamdes@wdes.fr>
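Review bot: the Maintainer / XSBC-Original-Maintainer swap is the standard update-maintainer change and is correct for a package that now carries Ubuntu delta. What this hunk does not touch is the Depends line, even though Require-PHP-8.0.patch makes the package refuse to run on PHP < 8; state in the MP or the changelog whether leaving the runtime dependency unversioned was deliberate for the SRU (jammy's default PHP satisfies it, so the die() path only matters for non-default PHP installs).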
71diff --git a/debian/patches/CVE-2023-25727.patch b/debian/patches/CVE-2023-25727.patch
72new file mode 100644
73index 0000000..2482289
74--- /dev/null
75+++ b/debian/patches/CVE-2023-25727.patch
76@@ -0,0 +1,24 @@
77+From: William Desportes <williamdes@wdes.fr>
78+Date: Thu, 30 Mar 2023 22:55:06 +0200
79+Subject: CVE-2023-25727 - XSS vulnerability in drag-and-drop upload
80+
81+Ref: https://www.phpmyadmin.net/security/PMASA-2023-1/
82+
83+Origin: upstream, https://github.com/phpmyadmin/phpmyadmin/commit/efa2406695551667f726497750d3db91fb6f662e
84+---
85+ js/src/drag_drop_import.js | 2 +-
86+ 1 file changed, 1 insertion(+), 1 deletion(-)
87+
88+diff --git a/js/src/drag_drop_import.js b/js/src/drag_drop_import.js
89+index 55250c2..9b8710e 100644
90+--- a/js/src/drag_drop_import.js
91++++ b/js/src/drag_drop_import.js
92+@@ -130,7 +130,7 @@ var DragDropImport = {
93+ var filename = $this.parent('span').attr('data-filename');
94+ $('body').append('<div class="pma_drop_result"><h2>' +
95+ Messages.dropImportImportResultHeader + ' - ' +
96+- filename + '<span class="close">x</span></h2>' + value.message + '</div>');
97++ Functions.escapeHtml(filename) + '<span class="close">x</span></h2>' + value.message + '</div>');
98+ $('.pma_drop_result').draggable(); // to make this dialog draggable
99+ }
100+ });
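Review bot: two things to confirm before merging. First, the patch edits only js/src/drag_drop_import.js and the diff touches no built artefact under js/dist; verify that the package build regenerates the shipped JavaScript from js/src, otherwise the escaping never reaches the installed /usr/share/phpmyadmin tree. Second, the change matches the cited upstream commit efa2406 exactly (only `filename` is wrapped in `Functions.escapeHtml`), while `value.message` on the same line is still concatenated as raw HTML; that is consistent with upstream treating the message as server-composed markup, so no further backport is needed for PMASA-2023-1, but it is worth noting in the review. The DEP-3 headers (From, Date, Ref, Origin) are complete.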
101diff --git a/debian/patches/Require-PHP-8.0.patch b/debian/patches/Require-PHP-8.0.patch
102new file mode 100644
103index 0000000..01dfe04
104--- /dev/null
105+++ b/debian/patches/Require-PHP-8.0.patch
106@@ -0,0 +1,39 @@
107+From: William Desportes <williamdes@wdes.fr>
108+Date: Fri, 14 Apr 2023 18:06:39 +0200
109+Subject: Require PHP >= 8.0
110+
111+Due to the delta carried in the Ubuntu PSR stack, phpmyadmin does not run with
112+PHP versions < 8. This patch makes it fail gracefully instead of allowing
113+phpmyadmin to abruptly crash, allowing us to provide useful error messages so
114+users understand what their next steps should be towards getting a functional
115+phpmyadmin deployment.
116+
117+Bug: https://github.com/phpmyadmin/phpmyadmin/issues/17503
118+Bug-Ubuntu: https://bugs.launchpad.net/bugs/2016016
119+Origin: vendor
120+Forwarded: not-needed
121+Reviewed-by: Athos Ribeiro <athos.ribeiro@canonical.com>
122+---
123+ libraries/common.inc.php | 8 +++++---
124+ 1 file changed, 5 insertions(+), 3 deletions(-)
125+
126+diff --git a/libraries/common.inc.php b/libraries/common.inc.php
127+index 75f1274..074ad57 100644
128+--- a/libraries/common.inc.php
129++++ b/libraries/common.inc.php
130+@@ -62,10 +62,12 @@ if (getcwd() == __DIR__) {
131+ * Minimum PHP version; can't call Core::fatalError() which uses a
132+ * PHP 5 function, so cannot easily localize this message.
133+ */
134+-if (PHP_VERSION_ID < 70103) {
135++if (PHP_VERSION_ID < 80000) {
136+ die(
137+- '<p>PHP 7.1.3+ is required.</p>'
138+- . '<p>Currently installed version is: ' . PHP_VERSION . '</p>'
139++ '<p>PHP 8.0.0+ is required ('
140++ . '<a href="https://bugs.launchpad.net/ubuntu/+source/symfony/+bug/1975892">Ubuntu Launchpad bug #1975892</a>'
141++ . '&nbsp;and&nbsp;<a href="https://github.com/phpmyadmin/phpmyadmin/issues/17503">phpMyAdmin issue #17503</a>'
142++ . ').</p><p>Currently installed version is: ' . PHP_VERSION . '</p>'
143+ );
144+ }
145+
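Review bot: the DEP-3 description repeats "Ubuntu PSR stack" without expansion; since this file is what a future maintainer will read to understand the delta, spell out which component the incompatibility comes from (the die() message already names the symfony bug, so the description can say the same). The unchanged comment above the check ("can't call Core::fatalError() which uses a PHP 5 function") is now stale on a branch that requires PHP 8 and could be refreshed in the same patch. The Bug, Bug-Ubuntu, Origin: vendor and Forwarded: not-needed fields are appropriate for a distribution-specific check.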
146diff --git a/debian/patches/series b/debian/patches/series
147index f474c59..ddd1fa2 100644
148--- a/debian/patches/series
149+++ b/debian/patches/series
150@@ -13,3 +13,5 @@ allow-symfony-v5-for-PHP-8-compat.patch
151 php-8.1-test-suite-fix.patch
152 php-8.1-deprecation-fixes.patch
153 drop-testimportosm-and-testdoimport-tests.patch
154+Require-PHP-8.0.patch
155+CVE-2023-25727.patch
